Critical Patch Updates, Security Alerts and Third Party Bulletin

This page lists announcements of security fixes made in Critical Patch Update Advisories and Security Alerts, and it is updated when new Critical Patch Update Advisories and Security Alerts are released. It is possible to receive notification of new announcements by email, as explained in the page linked below. Security fixes in third party products distributed with Oracle products are announced in the Third Party Bulletin, whose purpose and location are explained below.

Critical Patch Updates

Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

20 October 2015

19 January 2016

19 April 2016

19 July 2016

Starting with the October 2013 Critical Patch Update, security fixes for Java SE are released under the normal Critical Patch Update schedule.

A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.

The Critical Patch Updates released to date are listed in the following table.

Security Alerts

Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006. Security Advisory Notifications prior to July 2008 for BEA products are located here. Security Sun Alert notifications prior to April 2010 for Sun products are located here.

Third Party Bulletin

Oracle has no control over the timing and content of security fixes created by third parties. As a result, the Third Party Bulletin, rather than Oracle Critical Patch Update and Security Alert Advisories, has been used by Oracle since April 2010 as the mechanism to announce security fixes for third party software distributed with Oracle Solaris.

Starting January 20, 2015, Third Party Bulletins will be published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of each of the two months following their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled publication date.

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update or a Security Alert. The results of the security analysis are reflected in the Critical Patch Update or Security Alert and the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on Critical Patch Updates or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code (or "proof of concept code") for vulnerabilities in our products.